About the rolling data conversion mechanism for MSDP

To ensure that data is encrypted and secured with the highest standards, NetBackup uses the AES encryption algorithm and SHA-2 fingerprinting algorithm beginning with the 8.1 release. Specifically, MSDP uses AES-256 and SHA-512/256.

In NetBackup 8.1, with the introduction of the AES and the SHA-2 algorithms, data that was encrypted and fingerprinted with the older algorithms (Blowfish and MD5-like) is converted to the newer algorithms (AES-256 and SHA-512/256).

Environments that are upgraded to NetBackup 8.1 may contain Blowfish-encrypted data and MD5-like fingerprints that need to be converted to the new format. To handle the conversion and secure the data, a new internal task converts each existing data container to AES-256 encryption and the SHA-512/256 fingerprint algorithm. This task is referred to as the rolling data conversion. The conversion begins automatically after an upgrade to NetBackup 8.0. You can control some aspects of the conversion process or stop it entirely.

Rolling data conversion traverses all existing data containers. If the data in a container is encrypted with the Blowfish algorithm, it is re-encrypted with the AES-256 algorithm, and a new SHA-512/256 fingerprint is then generated for it. After the conversion, the data container has a .map file in addition to its .bhd and .bin files. The .map file holds the mapping between the SHA-512/256 fingerprints and the MD5-like fingerprints, which provides compatibility between the two fingerprint generations. The .bhd file holds the SHA-512/256 fingerprints.
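The fingerprint half of the traversal described above, as an added illustration that is not NetBackup code: a constructed in-memory stand-in for a container (its real .bin, .bhd and .map layouts are not documented here, so the `Container` fields, `build_legacy_container`, `roll_fingerprints`, `convert_all` and `lookup` are all hypothetical) is walked once, its MD5-like index keys are replaced by SHA-512/256 keys, and a .map-style dictionary is kept so that a fingerprint of either generation still resolves to the same segment. The Blowfish-to-AES-256 re-encryption step is left out, since it needs a cipher library and the page gives no container key material.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Container:
    """Hypothetical stand-in for one MSDP data container (constructed for this example)."""
    name: str
    segments: list               # raw segment bytes, i.e. what the .bin file would hold
    bhd: dict = field(default_factory=dict)     # fingerprint -> segment index (the .bhd role)
    fp_map: dict = field(default_factory=dict)  # SHA-512/256 fp -> MD5-like fp (the .map role)


def md5_fingerprint(data: bytes) -> str:
    """Legacy, MD5-like fingerprint of a segment."""
    return hashlib.md5(data).hexdigest()


def sha512_256_fingerprint(data: bytes) -> str:
    """SHA-512/256 fingerprint. This is the FIPS 180-4 truncated variant with its
    own initial values, not SHA-512 cut to 32 bytes; hashlib gets it from OpenSSL."""
    return hashlib.new("sha512_256", data).hexdigest()


def build_legacy_container(name: str, segments) -> Container:
    """Constructed pre-8.1 container: every segment indexed by its MD5-like fingerprint."""
    c = Container(name=name, segments=list(segments))
    for idx, seg in enumerate(c.segments):
        c.bhd[md5_fingerprint(seg)] = idx
    return c


def roll_fingerprints(c: Container) -> Container:
    """Rolling conversion of one container: re-key the .bhd index with SHA-512/256
    and emit the .map that ties each new fingerprint to the old one.
    A container that already carries a .map is treated as converted and skipped."""
    if c.fp_map:
        return c
    new_bhd, new_map = {}, {}
    for old_fp, idx in c.bhd.items():
        new_fp = sha512_256_fingerprint(c.segments[idx])
        new_bhd[new_fp] = idx
        new_map[new_fp] = old_fp
    c.bhd, c.fp_map = new_bhd, new_map
    return c


def convert_all(containers) -> int:
    """Traverse every container once; return how many were actually converted."""
    converted = 0
    for c in containers:
        if not c.fp_map:
            roll_fingerprints(c)
            converted += 1
    return converted


def lookup(c: Container, fp: str):
    """Resolve a fingerprint of either generation to its segment bytes, or None.
    New-style fingerprints hit the .bhd directly; old MD5-like ones go through the .map."""
    if fp in c.bhd:
        return c.segments[c.bhd[fp]]
    old_to_new = {old: new for new, old in c.fp_map.items()}
    if fp in old_to_new:
        return c.segments[c.bhd[old_to_new[fp]]]
    return None


if __name__ == "__main__":
    # Constructed sample data, not real MSDP segments.
    pool = [build_legacy_container("c1", [b"segment-one", b"segment-two"]),
            build_legacy_container("c2", [b"abc"])]
    print("converted containers:", convert_all(pool))
    for c in pool:
        for new_fp, old_fp in c.fp_map.items():
            print(f"{c.name}: {old_fp} -> {new_fp}")
```

Running the conversion a second time over the same pool converts nothing, which mirrors the point that the task only touches containers still in the old format; the `.map` is what keeps a lookup by an old MD5-like fingerprint working after the `.bhd` index has been re-keyed.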

When you upgrade to NetBackup 8.1.1, some encrypted data might not have been encrypted with a customer key. Because all encrypted data must be encrypted with a customer key, a new internal task re-encrypts the existing data with a customer key, both to convert it and to secure it. This KMS rolling conversion begins after the encryption and fingerprint rolling conversion completes.